Policy Briefing

Data Transfers without Safe Harbour: What You Need to Know

The new EU-U.S. Privacy Shield replaces Safe Harbour, sets new data protection standards and gives companies legal certainty for transatlantic data flows. The agreement also strengthens collaboration between EU Data Protection Authorities and the US Federal Trade Commission, includes mechanisms to settle disputes, and recognises the alternative data-transfer mechanisms that were adopted after the invalidation of Safe Harbour. The Privacy Shield has been accepted by the College of Commissioners and submitted to Data Protection Authorities for assessment, comment, and final approval. In the U.S., the Department of Commerce has already approved the agreement and is awaiting EU final action. We expect to see Privacy Shield in force by late spring to early summer.

Key Facts

● In October 2015, the EU’s highest court struck down Safe Harbour, the framework guiding the collection, transfer, and storage of data between EU and U.S. governments and companies.
● The new agreement, dubbed “Privacy Shield,” was recently reached by EU and U.S. negotiators. The agreement is not yet in force, and now enters a comment period. It will be followed by the national Data Protection Authorities’ assessment and the approval of EU Commissioners.
● The agreement would enable businesses to collect, transfer and store personal data while meeting certain privacy standards.
● European and American companies have found themselves in a state of limbo since Safe Harbour was struck down, and now need the regulatory certainty provided in Privacy Shield. In the meantime, digital businesses can adopt alternative transfer mechanisms that allow them to continue transferring data across the Atlantic.

Many developers have raised concerns about how they should handle data transfers to and from the United States. For those whose businesses rely on transatlantic data flows, guidance that may be useful during the transitional period from Safe Harbour to Privacy Shield is on the next page.

While we wait on Privacy Shield - Data Transfer Exceptions

In principle, companies cannot transfer data to countries that the EU deems to be inadequately protecting personal and sensitive data. However, the current EU Data Protection Directive provides a list of four specific derogations (exceptions) that allow businesses to transfer data to foreign countries, even if they do not guarantee high data protection standards, like those applied in Europe. According to the rules:

• It is possible to transfer data outside the EU when the user gives their unambiguous prior consent. For example, apps would have to let users know what data they were collecting and also get the user's consent each and every time they collected data.
• Data transfers can still take place if they are necessary for software to work in accordance with a contract between the developer and the user (e.g. financial transactions). This usually happens when making hotel reservations, or when payment information is transferred to a third country for a bank transfer.
• Data transfers can also take place when it is necessary for the conclusion of a contract between an app developer and the third party, and only when the transfer is made in the user’s interest; for example, when a travel agent forwards the details of a flight booking to an airline.
• Finally, in case of on-going legal claims, you can transfer data when it is necessary for the judicial procedure. For example, when a company needs to transfer data to defend itself against a legal claim, or to make a claim in court or before a public authority.

If you’re still unsure…

These can be very tricky to understand. For legal reference, take a look at Art. 26. For further information, check out these FAQs and the guidance issued and best practices collected by the Data Protection Authorities here. If you have any doubts, seek legal help; this stuff is important to get right!

Contract Clauses to Protect Data Transfers: Companies headquartered in the EU can adopt specific contractual clauses that set transfer terms to ensure validity and lawfulness. To streamline the process, the European Commission pre-approved and published different lists of Standard Contractual Clauses. These are valid in all the Member States and national authorities are required to accept them. The clauses can be quite stringent, and companies should seek counsel or assistance before enacting them to ensure compliance and that they do not conflict with existing company policies or contracts.

Third Party Cloud Service Exceptions: Some larger cloud providers offer Model Clauses to their customers, regardless of the business’ dimension or size. For example, Google has added the Contract Clause to its administrative interface for Google for Work and for Google Apps, and Microsoft executes Model Clauses and provides a pre-signed data processing agreement for execution and storage purposes in European companies. Amazon is also willing to execute Model Clauses and offers further information here.

Read More About Safe Harbour and EU-U.S. Privacy Shield

• Data Transfers without Safe Harbour: What You Need to Know
• EU.US Privacy Shield: European Commission Communication and Press Release
• Transatlantic Data Flow Deal Reached
• Small Businesses Need Quick Actions on Safe Harbour
• EU’s Highest Court Puts Digital Small Business at Risk by Invalidating Data Protection Safe Harbour
• Safe Harbour Update

Stay updated

As Privacy Shield enters the final stretch of consideration, businesses should know that without one of the above alternative data transfer mechanisms, they could run into legal trouble. Privacy Shield has been accepted by the College of Commissioners and submitted to Data Protection Authorities for assessment, comment, and final approval, which is likely to come sometime in April. Until then, be sure to employ an alternative mechanism and seek legal advice when necessary. If you have any questions regarding any of the above data transferring alternatives, please feel free to reach out to the Alliance Policy team.
